CVE-2025-14463

5.3 MEDIUM

📋 TL;DR

The Payment Button for PayPal WordPress plugin has an authentication bypass vulnerability that allows unauthenticated attackers to create fake orders without actual PayPal transactions. Attackers can inject arbitrary transaction details, corrupt order databases, and trigger unauthorized purchase receipt emails. All WordPress sites using this plugin up to version 1.2.3.41 are affected.

💻 Affected Systems

Products:
  • Payment Button for PayPal WordPress plugin
Versions: All versions up to and including 1.2.3.41
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration; email sending feature exacerbates impact when enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete order database corruption, financial record falsification, email spam/abuse, and potential data integrity issues affecting business operations and customer trust.

🟠 Likely Case

Unauthorized order creation with fake transaction data, database pollution, and receipt emails sent to arbitrary addresses without actual payments.

🟢 If Mitigated

Minimal impact with proper authentication and transaction verification in place, though database cleanup may still be required.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Direct POST requests to AJAX endpoint with minimal parameter manipulation required; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check WordPress plugin repository for version > 1.2.3.41

Vendor Advisory: https://plugins.trac.wordpress.org/browser/wp-paypal

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Payment Button for PayPal' plugin
4. Click 'Update Now' if update available
5. If no update, deactivate and remove plugin immediately

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint (platform: all)

Block access to the vulnerable wppaypalcheckout_ajax_process_order endpoint

Add to the site's root .htaccess. A RewriteRule pattern never sees the query string, so the action has to be tested in a RewriteCond; note that this only catches requests that pass the action in the query string, not those that send it in the POST body (admin-ajax.php accepts either):

RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=wppaypalcheckout_ajax_process_order(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]

Disable plugin (platform: linux)

Temporarily disable the plugin until patched

wp plugin deactivate wp-paypal

🧯 If You Can't Patch

  • Immediately disable the Payment Button for PayPal plugin
  • Implement web application firewall rules to block POST requests to /wp-admin/admin-ajax.php carrying the wppaypalcheckout_ajax_process_order action; the rule must inspect both the query string and the request body, since admin-ajax.php reads the action parameter from either

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'Payment Button for PayPal' version ≤ 1.2.3.41

Check Version:

wp plugin list --name=wp-paypal --field=version

(The --name filter of wp plugin list matches the plugin slug, wp-paypal, not the display name shown in the admin panel.)

Verify Fix Applied:

Verify plugin version > 1.2.3.41 or confirm plugin is deactivated/removed
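Added example, not part of this advisory: a small check that decides whether a version string read from `wp plugin list` falls in the affected range. It exists because the plugin uses a four-part version, and a naive string comparison ranks "1.2.3.5" above "1.2.3.41" and would wrongly report such a site as patched. The sample version strings are constructed.

```python
import re

# From the advisory: every version up to and including this one is affected.
LAST_VULNERABLE = "1.2.3.41"


def parse_version(text):
    """Turn '1.2.3.41' into (1, 2, 3, 41).

    Leading/trailing whitespace (as left by `wp plugin list --field=version`)
    is ignored and any non-numeric suffix such as '-beta' is dropped.
    """
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(installed):
    """True when the installed version is <= 1.2.3.41.

    Tuples compare component by component, so (1, 2, 3, 5) < (1, 2, 3, 41)
    and a shorter version such as (1, 2, 4) correctly ranks above (1, 2, 3, 41).
    """
    return parse_version(installed) <= parse_version(LAST_VULNERABLE)


if __name__ == "__main__":
    # Constructed inputs, as they might come back from the WP-CLI command above.
    for v in ("1.2.3.41\n", "1.2.3.5", "1.2.3.42", "1.2.4", "1.3-beta"):
        print(f"{v.strip():10} vulnerable={is_vulnerable(v)}")
```

Pipe the WP-CLI output straight in (`wp plugin list --name=wp-paypal --field=version | python3 check.py` with a one-line `sys.stdin.read()` wrapper) or call `is_vulnerable()` from an inventory script.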

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=wppaypalcheckout_ajax_process_order from unauthenticated users
  • Unusual order creation spikes without corresponding payment gateway logs
  • Email logs showing purchase receipts to non-customer addresses

Network Indicators:

  • HTTP POST requests to WordPress AJAX endpoint with PayPal transaction parameters from unexpected sources

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="wppaypalcheckout_ajax_process_order" AND user="-"
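Added example, not part of this advisory: a log scanner that applies the indicators above to web-server access logs. It assumes the Apache/nginx combined log format, flags POSTs to admin-ajax.php that name the vulnerable action in the query string (the same condition as the SIEM query, with the `user="-"` column reported separately), counts POSTs to admin-ajax.php whose action is not visible because it was sent in the request body, and reports sources that hit the endpoint repeatedly. The log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "wppaypalcheckout_ajax_process_order"

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample (not real traffic): three rapid unauthenticated hits from one
# source, an unrelated heartbeat call, one hit behind HTTP basic auth, and one POST
# whose action travels in the body and therefore never appears in the access log.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=wppaypalcheckout_ajax_process_order HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wppaypalcheckout_ajax_process_order HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=wppaypalcheckout_ajax_process_order HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.9 - alice [01/Jan/2025:10:00:07 +0000] "POST /wp-admin/admin-ajax.php?action=wppaypalcheckout_ajax_process_order HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Jan/2025:10:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """'hit'    = POST to admin-ajax.php naming the vulnerable action in the query string
       'opaque' = POST to admin-ajax.php with no action in the query string (body-only)
       None     = not relevant to this CVE"""
    rec = parse_line(line)
    if rec is None or rec["method"] != "POST":
        return None
    url = urlsplit(rec["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(url.query).get("action", [""])[0]
    if action == VULN_ACTION:
        return "hit"
    if action == "":
        return "opaque"  # needs WAF/body logging to resolve; the access log cannot
    return None


def scan(log_text, burst_threshold=3):
    """Summarise hits, unauthenticated hits, body-only POSTs and per-source bursts."""
    hits, opaque, per_ip = [], 0, Counter()
    for line in log_text.splitlines():
        kind = classify(line)
        if kind == "hit":
            rec = parse_line(line)
            hits.append((rec["ip"], rec["user"], rec["time"]))
            per_ip[rec["ip"]] += 1
        elif kind == "opaque":
            opaque += 1
    return {
        "hits": hits,
        "unauthenticated": sum(1 for _, user, _ in hits if user == "-"),
        "opaque_posts": opaque,
        "bursts": {ip: n for ip, n in per_ip.items() if n >= burst_threshold},
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two caveats the output makes visible: the `user` column only reflects HTTP basic auth, so WordPress cookie sessions also show up as "-" and the `unauthenticated` count is an upper bound; and the `opaque_posts` count is why the SIEM query above should be paired with a rule that inspects the POST body, since a client that sends the action in the body leaves nothing for `params.action` to match.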
